Security risk to eval?

Discussion in 'Javascript' started by optimistx, Nov 25, 2009.

  1. optimistx

    optimistx Guest

    Assume:

    1) A programmer has written a html page with javascript code, which is
    loaded to and executed in client's computer.

    2) The http-server, which is sending the page, does not execute php, does
    not use ajax, does not use passwords, has sql-files (=the most typical
    server serving simple pages to clients). http-get-requests are used.

    I cannot imagine how the client could damage the server, if the loaded page
    allows the client to execute any javascript code without any checking, e.g.
    with eval. E.g. there could be a textarea, which the client can fill with
    any js code imaginable and the contents is eval'd in client's computer.

    Would this be a security risk for the server? Or for the client so that the
    client could blame the programmer?
    optimistx, Nov 25, 2009
    #1

  2. optimistx

    Evertjan. Guest

    optimistx wrote on 25 nov 2009 in comp.lang.javascript:

    > Assume:
    >
    > 1) A programmer has written a html page with javascript code, which
    > is loaded to and executed in client's computer.
    >
    > 2) The http-server, which is sending the page, does not execute php,
    > does not use ajax, does not use passwords, has sql-files (=the most
    > typical server serving simple pages to clients). http-get-requests are
    > used.


    Not javascript related.

    > I cannot imagine how the client could damage the server, if the loaded
    > page allows the client to execute any javascript code without any
    > checking, e.g. with eval. E.g. there could be a textarea, which the
    > client can fill with any js code imaginable and the contents is eval'd
    > in client's computer.


    A programmer [are you one?] should always be able to imagine.


    > Would this be a security risk for the server? Or for the client so
    > that the client could blame the programmer?


    You are mixing the concepts of user and client making your Q nonsensical.

    Everyone blames the programmer, and rightly so.
    Without programmers, who would there be left to blame in cyberspace?

    The user is always at risk,
    as is his destiny as a programming-wise unintelligent being.

    The client [=browser] itself is not at risk, the clientside data could be
    so.

    The server data are only at risk in the case of an unfavorable
    hacker/manager intelligence cum knowledge index, which usually is the
    case.


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
    Evertjan., Nov 25, 2009
    #2

  3. optimistx

    optimistx Guest

    Re: Security risk to eval?(NO sql)

    Evertjan. wrote:
    > optimistx wrote on 25 nov 2009 in comp.lang.javascript:
    >
    >> Assume:
    >>
    >> 1) A programmer has written a html page with javascript code, which
    >> is loaded to and executed in client's computer.
    >>
    >> 2) The http-server, which is sending the page, does not execute php,
    >> does not use ajax, does not use passwords, has sql-files (=the most
    >> typical server serving simple pages to clients). http-get-requests
    >> are used.

    >
    > Not javascript related.

    ....
    There was a typo in my entry, should be: NO sql- files.
    optimistx, Nov 25, 2009
    #3
  4. optimistx meinte:
    > Assume:
    >
    > 1) A programmer has written a html page with javascript code, which is
    > loaded to and executed in client's computer.
    >
    > 2) The http-server, which is sending the page, does not execute php,
    > does not use ajax, does not use passwords, has sql-files (=the most
    > typical server serving simple pages to clients). http-get-requests are
    > used.


    SQL and no PHP (or other server side scripting)? I'm intrigued... (Or
    what are "sql-files"?)

    > Would this be a security risk for the server? Or for the client so that
    > the client could blame the programmer?


    Since I cannot imagine the upper "configuration", it's up to the
    programmer to figure out explanations.

    Gregor


    --
    http://www.gregorkofler.com
    Gregor Kofler, Nov 25, 2009
    #4
  5. Re: Security risk to eval?(NO sql)

    optimistx meinte:

    > There was a typo in my entry, should be: NO sql- files.


    Ok. That makes risks pretty negligible. However, now you don't need a
    "programmer" anymore. An "author" suffices.

    Gregor

    --
    http://www.gregorkofler.com
    Gregor Kofler, Nov 25, 2009
    #5
  6. optimistx

    optimistx Guest

    Gregor Kofler wrote:
    that the client could blame the programmer?
    >
    > Since I cannot imagine the upper "configuration", it's up to the
    > programmer to figure out explanations.
    >
    > Gregor

    Sorry, there is a typo in my entry, should be : NO sql
    optimistx, Nov 25, 2009
    #6
  7. optimistx

    JR Guest

    On Nov 25, 5:41 am, "optimistx" <> wrote:
    > Assume:
    >
    > 1) A programmer has written a html page with javascript code, which is
    > loaded to and executed in client's computer.


    I remember creating a page like that in 2000, when I still didn't use
    a server-side scripting language, such as PHP or ASP.


    > 2) The http-server, which is sending the page, does not execute php, does
    > not use ajax, does not use passwords, has [NO] sql-files (=the most typical
    > server serving simple pages to clients). http-get-requests are used.
    >
    > I cannot imagine how the client could damage the server, if the loaded page
    > allows the client to execute any javascript code without any checking, e.g.
    > with eval. E.g. there could be a textarea, which the client can fill with
    > any js code imaginable and the contents is eval'd in client's computer.
    >
    > Would this be a security risk for the server? Or for the client so that the
    > client could blame the programmer?


    A hacker could try a "denial-of-service" attack
    (http://en.wikipedia.org/wiki/Denial-of-service_attack).
    However, real hackers tend to focus efforts on things that bring them
    financial return.

    Cheers,
    JR
    JR, Nov 25, 2009
    #7
  8. optimistx

    JR Guest

    On Nov 25, 12:39 pm, JR <> wrote:
    > On Nov 25, 5:41 am, "optimistx" <> wrote:
    >
    > > Assume:

    >
    > > 1) A programmer has written a html page with javascript code, which is
    > > loaded to and executed in client's computer.

    >
    > I remember creating a page like that in 2000, when I still didn't use
    > a server-side scripting language, such as PHP or ASP.
    >
    > > 2) The http-server, which is sending the page, does not execute php, does
    > > not use ajax, does not use passwords, has [NO] sql-files (=the most typical
    > > server serving simple pages to clients). http-get-requests are used.

    >
    > > I cannot imagine how the client could damage the server, if the loaded page
    > > allows the client to execute any javascript code without any checking, e.g.
    > > with eval. E.g. there could be a textarea, which the client can fill with
    > > any js code imaginable and the contents is eval'd in client's computer.

    >
    > > Would this be a security risk for the server? Or for the client so that the
    > > client could blame the programmer?

    >
    > A hacker could try a "denial-of-service" attack
    > (http://en.wikipedia.org/wiki/Denial-of-service_attack).
    > However, real hackers tend to focus efforts on things that bring them
    > financial return.
    >
    > Cheers,
    > JR


    Never mind if your page won't submit the client code to the server.

    Cheers,
    JR
    JR, Nov 25, 2009
    #8
  9. In comp.lang.javascript message <4b0cdfa2$0$3885$>,
    Wed, 25 Nov 2009 09:41:27, optimistx <> posted:
    >
    >Would this be a security risk for the server? Or for the client so that
    >the client could blame the programmer?


    We do not know who you are, and we do not know who else will read this
    thread.

    Therefore, while we might reasonably answer "Yes" or "No", we cannot
    safely justify an answer of "Yes" by explanation of details, since we
    might therefore make ourselves inadvertent accessories before the act.

    I do know of a fault in one current/recent browser which gives the
    appearance of an untrapped exceeding of range of a form which might
    allow the execution of random or arbitrary code; so my answer is
    "Perhaps yes". Unfortunately the browser does not seem to offer a
    secure-seeming fault reporting system.

    --
    (c) John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
    Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
    Proper <= 4-line sig. separator as above, a line exactly "-- " (SonOfRFC1036)
    Do not Mail News to me. Before a reply, quote with ">" or "> " (SonOfRFC1036)
    Dr J R Stockton, Nov 25, 2009
    #9
  10. optimistx

    optimistx Guest

    Dr J R Stockton wrote:
    ....
    > I do know of a fault in one current/recent browser which gives the
    > appearance of an untrapped exceeding of range of a form which might
    > allow the execution of random or arbitrary code; so my answer is
    > "Perhaps yes".


    Thanks for the info.

    Is it like this:

    If the page contains a form, which is set by a post or get http-request
    to the server, a malignant user of some defective browser can fill
    something in a form on a page so that server security is at risk even
    in the case when the server does not contain any code from the author
    to handle the request?

    If it is so I could imagine a malignant user to construct a bookmarklet
    to ANY page, where execution of javascript is allowed and do the
    unspecified trick above. Even on a page which does not contain any
    javascript code originally.

    If it is so, me allowing the user to execute any code using eval
    (constructed by the user) does not increase the risk for the server (?).
    optimistx, Nov 26, 2009
    #10
  11. optimistx meinte:
    > Dr J R Stockton wrote:
    > ...
    >> I do know of a fault in one current/recent browser which gives the
    >> appearance of an untrapped exceeding of range of a form which might
    >> allow the execution of random or arbitrary code; so my answer is
    >> "Perhaps yes".

    >
    > Thanks for the info.
    >
    > Is it like this:
    >
    > If the page contains a form, which is set by a post or
    > get http-request to the server, a malignant user of some defective
    > browser can fill something in
    > a form on a page so that server security is at risk even
    > in the case when the
    > server does not contain any code from the author to handle the
    > request ?


    What's a form good for, without server side scripting (which you don't
    have)?

    The only thing a user could do, is exploit a vulnerability in the
    webserver application. When using a popular webserver (like Apache),
    vulnerabilities are rare and fixed quickly.

    Gregor


    --
    http://www.gregorkofler.com
    Gregor Kofler, Nov 26, 2009
    #11
  12. optimistx

    optimistx Guest

    Gregor Kofler wrote:
    ....
    > What's a form good for, without server side scripting (which you don't
    > have)?
    >
    > The only thing a user could do, is exploit a vulnerability in the
    > webserver application. When using a popular webserver (like Apache),
    > vulnerabilities are rare and fixed quickly.
    >
    > Gregor


    ok, good to know.

    One can use the input elements inside the form (or without an actual
    form), e.g. to receive user input and store it to a cookie in user's
    hard disk, if allowed.
    In the next session js-code reads the cookie.
    optimistx, Nov 26, 2009
    #12
  13. On 26 Nov, 15:16, Christian Kirsch wrote:
    > optimistx schrieb:
    >> One can use the input elements inside the form ( or without an
    >> actual form)e.g.

    <snip>>
    > Input elements outside of forms don't conform to HTML standards,
    > AFAIK.

    <snip>

    Input elements outside of forms are fine (by HTML spec and otherwise).
    They will not be involved in submitting to the server if used in that
    way, but can still be used in a javascript driven UI.

    Richard.
    Richard Cornford, Nov 26, 2009
    #13
  14. optimistx

    optimistx Guest

    Christian Kirsch wrote:
    > optimistx schrieb:
    >
    >> One can use the input elements inside the form ( or without an actual
    >> form)e.g.
    >> to receive user input and store it to a cookie in user's hard disk,
    >> if allowed.
    >> In the next session js-code reads the cookie.
    >>

    >
    > Input elements outside of forms don't conform to HTML standards, AFAIK.
    >
    > And how are you going to "receive" input and "store" it wherever
    > without a program on the server side?


    Cookies reside in the user's computer with the browser. They are stored
    there, when the js-code is executed. There needs to be no programmatic
    handling at the server. (but perhaps cookies make some trips back and
    forth anyhow?)
    optimistx, Nov 26, 2009
    #14
  15. optimistx meinte:

    > Cookies reside in the user's computer with the browser. They are stored
    > there,
    > when the js-code is executed. There needs to be no programmatic
    > handling at the server. (but perhaps cookies make some trips back and forth
    > anyhow?)


    Yes they do. That's why they are. But without server-side scripting they
    are relatively useless (and again no security issue for the server).

    Gregor


    --
    http://www.gregorkofler.com
    Gregor Kofler, Nov 26, 2009
    #15
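
Added example, not part of any post in this thread: the cookie round trip discussed in posts 12 to 15 (textarea input stored by page script, read back next session, and sent along with later requests), written as plain functions so it also runs outside a browser. The function names, the cookie name `draft` and the 4096-byte cap are assumptions of this sketch.

```javascript
// Assumed cap: browsers commonly limit one cookie to about 4096 bytes.
const MAX_COOKIE_BYTES = 4096;

// Build the string a page script would assign to document.cookie.
// encodeURIComponent keeps ';' and '=' in the user's text from being
// read as cookie syntax; its output is pure ASCII, so length == bytes.
function buildCookie(name, value, days, now = new Date()) {
  const expires = new Date(now.getTime() + days * 864e5).toUTCString();
  const pair = encodeURIComponent(name) + "=" + encodeURIComponent(value);
  const cookie = pair + "; expires=" + expires + "; path=/";
  if (cookie.length > MAX_COOKIE_BYTES) {
    throw new RangeError("cookie too large: " + cookie.length + " bytes");
  }
  return cookie;
}

// Parse what document.cookie returns in the next session ("a=1; b=2").
// Values come back as strings, i.e. as data, never as executed code.
function parseCookies(cookieString) {
  const jar = Object.create(null); // no inherited keys such as "toString"
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    try {
      jar[decodeURIComponent(name)] = decodeURIComponent(raw);
    } catch (e) {
      // Malformed percent-encoding: ignore this pair.
    }
  }
  return jar;
}

// The header line the browser adds to later requests for the same site.
// Only name=value pairs travel; expires/path stay in the browser.
function requestHeaderFor(cookieStrings) {
  return "Cookie: " + cookieStrings.map(s => s.split(";")[0]).join("; ");
}

// Constructed sample: text a user might type into the textarea.
const sampleInput = 'alert("hi"); // x=1; y';
const stored = buildCookie("draft", sampleInput, 30);
const restored = parseCookies(stored.split(";")[0]).draft;
console.log(requestHeaderFor([stored]));
console.log(restored === sampleInput);
```

A static server receives that `Cookie:` header on each request and ignores it, which matches the replies above: the stored text only matters to script running in the browser.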
  16. In comp.lang.javascript message <4b0e5a7f$0$3870$>,
    Thu, 26 Nov 2009 12:37:53, optimistx <> posted:
    >Dr J R Stockton wrote:
    >...
    >> I do know of a fault in one current/recent browser which gives the
    >> appearance of an untrapped exceeding of range of a form which might
    >> allow the execution of random or arbitrary code; so my answer is
    >> "Perhaps yes".

    >
    >Thanks for the info.
    >
    >Is it like this:
    >
    >If the page contains a form, which is set by a post or
    >get http-request to the server, a malignant user of some defective
    >browser can fill something in
    >a form on a page so that server security is at risk even
    >in the case when the
    >server does not contain any code from the author to handle the
    >request ?



    It bears no resemblance whatever to that. The words "of a form" may
    have deceived you; substitute "in a manner".

    The possible breach of security/safety, if actual, could be employed by
    the author to attack the reader's machine; or could cause the reader to
    inadvertently damage his system.

    Again : although it is an undeniable and fix-worthy browser flaw, there
    is only a possibility that it could be an exploitable one.

    --
    (c) John Stockton, nr London, UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
    Web <URL:http://www.merlyn.demon.co.uk/> - FAQqish topics, acronyms & links;
    Astro stuff via astron-1.htm, gravity0.htm ; quotings.htm, pascal.htm, etc.
    No Encoding. Quotes before replies. Snip well. Write clearly. Don't Mail News.
    Dr J R Stockton, Nov 27, 2009
    #16
  17. In comp.lang.javascript message <helv93$44a$>,
    Thu, 26 Nov 2009 14:19:31, Gregor Kofler <>
    posted:
    >optimistx meinte:
    >> Dr J R Stockton wrote:
    >> ...
    >>> I do know of a fault in one current/recent browser which gives the
    >>> appearance of an untrapped exceeding of range of a form which might
    >>> allow the execution of random or arbitrary code; so my answer is
    >>> "Perhaps yes".

    >> Thanks for the info.
    >> Is it like this:
    >> If the page contains a form, which is set by a post or
    >> get http-request to the server, a malignant user of some defective
    >> browser can fill something in
    >> a form on a page so that server security is at risk even
    >> in the case when the
    >> server does not contain any code from the author to handle the
    >> request ?

    >
    >What's a form good for, without server side scripting (which you don't
    >have)?


    Why do you say that Optimistx, to whom you are responding, does not have
    server-side scripting?

    Note that an insecurity can be detected by using only a local script in
    a local page. ***IF*** I were to write, on a local machine, a page
    which in browser X could, merely by executing some script as a result of
    selecting some button, read anything it liked from the machine's disc
    and write it into, say, an inconspicuous textarea in a form, ***THEN***
    you, for example, could put corresponding script on a web page with
    client/server interaction and read the hard discs of those who read your
    page with browser X.

    Quite independently of the submit mechanism, a form is a useful way of
    containing a set of controls with a local name-space. For example, if a
    form button's onClick is set to "Func(this.form)", then a routine
    declared by function Func(F) can address other elements of the form
    as properties of F - and the same Func can be used for more than one
    form.

    --
    (c) John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
    Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
    Proper <= 4-line sig. separator as above, a line exactly "-- " (SonOfRFC1036)
    Do not Mail News to me. Before a reply, quote with ">" or "> " (SonOfRFC1036)
    Dr J R Stockton, Nov 27, 2009
    #17